IPSec Nat-T

faisalvt0807
Level 1

Dear Friends,

Platform Cisco 800Series

Router#Sh version 

Sample Output

Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.2(4)M4, RELEASE SOFTWARE (fc2)

ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)

5 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
256K bytes of non-volatile configuration memory.
125496K bytes of ATA CompactFlash (Read/Write)

The above-mentioned details are some information about my router and IOS.

I'm using DMVPN over a GRE tunnel and it's working fine.

We have one new requirement with another partner; they are sharing and requesting to configure IPsec VPN for the interconnection.

Questions:

1. What is the basic difference between DMVPN and IPsec VPN?

2. Can my router do this?

3. If yes, how can I disable NAT-T? The partner is requesting to disable it.

4. How can I statically configure NAT translation for inside and outside traffic in IPsec VPN?

If I'm configuring IPsec VPN, is there any problem that will affect my existing DMVPN?

Can anybody please help me?

Accepted Solution

> 1. What is the basic difference between DMVPN and IPsec VPN?

DMVPN also uses IPsec for traffic protection, but it adds multipoint GRE and NHRP for additional functionality.

> 2. Can my router do this?

Well, you are using it ... ;-)

> 3. If yes, how can I disable NAT-T? The partner is requesting to disable it.

First ask them why they want to disable it. NAT-T is part of the IPsec standard and only adds an additional UDP header if there is a NAT. If there is no NAT between the peers, NAT-T won't change the encapsulation. If the partner needs it to be turned off, then they are probably using a crappy implementation/platform.

If you still want to disable it:

no crypto ipsec nat-transparency udp-encapsulation

> 4. How can I statically configure NAT translation for inside and outside traffic in IPsec VPN?

NAT is done before encryption. Just configure your NAT rules to translate your traffic. The translated traffic is then matched against the crypto ACLs.

> If I'm configuring IPsec VPN, is there any problem that will affect my existing DMVPN?

Both can coexist. But for sure, when configuring something incorrectly, you can cause problems for your existing config.
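As an added illustration of the point above that NAT-T only changes the encapsulation when a NAT is actually present (this is example code written for this thread, not part of the answer and not Cisco IOS code): in IKEv2 (RFC 7296 section 2.23) each peer sends NAT_DETECTION hashes computed over the IP address and port it believes it is using, and the receiver recomputes them over the source it actually saw on the wire. A mismatch means a NAT rewrote the packet, and only then is ESP moved into UDP/4500. The SPIs and addresses below are constructed sample values, and the `nat_t_enabled` flag is an assumption standing in for the effect of `no crypto ipsec nat-transparency udp-encapsulation` on a router that turns out to have a NAT in the path.

```python
import hashlib
import ipaddress
import struct

# Constructed sample IKE SPIs (arbitrary 8-byte values, not from a real session).
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes.fromhex("fedcba9876543210")


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Contents of the NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP
    notify payloads per RFC 7296 section 2.23:
    SHA-1 over SPIi | SPIr | IP address | UDP port (port as 2-byte big-endian)."""
    packed_ip = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def nat_between_peers(claimed_hash: bytes, observed_ip: str, observed_port: int) -> bool:
    """Receiver-side check. The sender hashed the address/port it believes it is
    using; the receiver recomputes over the source it actually observed.
    Any mismatch means a device rewrote the outer header in transit, i.e. a NAT."""
    return claimed_hash != nat_detection_hash(SPI_I, SPI_R, observed_ip, observed_port)


def choose_encapsulation(sender_ip: str, sender_port: int,
                         observed_ip: str, observed_port: int,
                         nat_t_enabled: bool = True) -> str:
    """Return the data-plane encapsulation the peers end up with.

    nat_t_enabled=False models the assumed effect of disabling UDP encapsulation
    on the IOS side: ESP stays native even though a NAT was detected, which is
    the situation a NAT-T-less peer cannot recover from."""
    claimed = nat_detection_hash(SPI_I, SPI_R, sender_ip, sender_port)
    if not nat_between_peers(claimed, observed_ip, observed_port):
        return "ESP (IP protocol 50), unchanged by NAT-T"
    if nat_t_enabled:
        return "ESP in UDP/4500 (NAT-T)"
    return "ESP (IP protocol 50) through a NAT: expect it to fail"


if __name__ == "__main__":
    # Constructed addresses from the RFC 5737 documentation ranges.
    # Case 1: no NAT, the receiver sees exactly the address the sender used.
    print(choose_encapsulation("203.0.113.10", 500, "203.0.113.10", 500))
    # Case 2: sender behind a NAT, private source rewritten to a public address.
    print(choose_encapsulation("192.168.1.10", 500, "203.0.113.10", 500))
    # Case 3: same NAT, but UDP encapsulation disabled on the router.
    print(choose_encapsulation("192.168.1.10", 500, "203.0.113.10", 500, nat_t_enabled=False))
```

The first case is the one the answer describes: with no NAT in the path the hashes agree, no UDP header is added, and the partner's "disable NAT-T" request changes nothing on the wire. The third case is the reason to keep the feature enabled unless you can rule out a NAT in front of every peer.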


4 Replies


Hello Karsten Iwen,

Thanks for your kind attention. Tell me more about crappy implementation/platform.

If I'm applying this command, is there any problem with my existing DMVPN?

no crypto ipsec nat-transparency udp-encapsulation

Can you please explain how to match translated traffic against crypto ACLs?

> Tell me more about crappy implementation/platform.

IPsec is a quite mature technology. In general it works quite well between different vendors. If your partner wants to have a specific component disabled, it could be an indication that his product is not that compatible with other vendors.

> If I'm applying this command, is there any problem with my existing DMVPN?
> no crypto ipsec nat-transparency udp-encapsulation

Can you make sure that you will never have a spoke (or your hub) behind a NAT? Then you should not disable it.

> Can you please explain how to match translated traffic against crypto ACLs?

Learning IPsec is probably not possible through a discussion forum (you could spend a week-long training on the basics of IPsec on IOS). But with some Google searching you will find some how-tos on basic configuration.
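The reply above leaves the "NAT first, then crypto ACL" order as a pointer to further reading, so here is an added example (written for this thread, not from the replies and not Cisco code) that models that order of operations on the outside interface for inside-to-outside traffic. The addresses, the static NAT entry and the two crypto ACL variants are constructed values. What it shows is that the crypto ACL has to describe the translated (inside global) addresses: by the time the crypto map is evaluated the source has already been rewritten, so an ACL written for the private addresses never matches and the flow leaves in cleartext.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# Constructed static NAT entry, inside local -> inside global
# (IOS equivalent: 'ip nat inside source static 10.1.1.10 203.0.113.10').
STATIC_NAT = {"10.1.1.10": "203.0.113.10"}

# Constructed crypto ACL variants as (source prefix, destination prefix) pairs.
# The partner's protected network is 198.51.100.0/24 in this example.
CRYPTO_ACL_TRANSLATED = [("203.0.113.0/24", "198.51.100.0/24")]  # matches post-NAT source
CRYPTO_ACL_PRE_NAT = [("10.1.1.0/24", "198.51.100.0/24")]        # mistake: private source


def apply_inside_to_outside_nat(pkt: Packet) -> Packet:
    """Static NAT in the inside-to-outside direction: rewrite the source
    address if a static entry exists, otherwise leave the packet alone."""
    return replace(pkt, src=STATIC_NAT.get(pkt.src, pkt.src))


def matches_crypto_acl(pkt: Packet, acl) -> bool:
    """True if any (source, destination) prefix pair of the crypto ACL covers the packet."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
               for s, d in acl)


def outside_interface_egress(pkt: Packet, acl) -> tuple:
    """Model the IOS order on the outside interface for inside-to-outside traffic:
    NAT is applied first, and only then is the crypto map's ACL checked, so the
    ACL sees the already-translated packet.
    Returns (translated packet, 'encrypted' or 'cleartext')."""
    translated = apply_inside_to_outside_nat(pkt)
    verdict = "encrypted" if matches_crypto_acl(translated, acl) else "cleartext"
    return translated, verdict


if __name__ == "__main__":
    flow = Packet(src="10.1.1.10", dst="198.51.100.5")
    print(outside_interface_egress(flow, CRYPTO_ACL_TRANSLATED))  # encrypted
    print(outside_interface_egress(flow, CRYPTO_ACL_PRE_NAT))     # cleartext: ACL never sees 10.1.1.10
```

The second call is the failure mode worth checking for on a real box: a crypto ACL that references pre-NAT addresses silently sends the partner traffic unencrypted, and `show crypto ipsec sa` will simply show no encapsulated packets rather than an error.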

Well, thanks for your comment.

I have some idea about IPsec and I spent a lot of my time learning it a bit months ago, but the fact is I don't have real-time experience.

Anyway, your comment was very useful.

Hope you are doing well.

Thank you